How We Used the Latest Windows10 Technology to Build an Isolated Workspace-as-a-Service — Hysolate

Protect corporate devices with isolated workspaces for high-risk activities

  • Complete guest to host isolation between the two environments, so in case the productivity environment is compromised, the host OS remains safe.
  • A separate network stack that allows users to access web pages that were previously blocked by the corporate proxy, with increased privacy. Malware getting into the productivity environment must remain isolated also on the network level, not being able to spread to other corporate devices and servers.
  • Excellent performance, allowing users to use apps like Zoom for work (which might have been prohibited before, due to recent vulnerabilities) but also to watch Netflix in their personal time.

Secure corporate access from BYOD

  • Strong host to guest isolation between the two environments, keeping the corporate data secured from potential malware on the host.
  • Immediate provisioning and no OS management overhead — IT doesn’t want to manage more (even if virtual) OSes or maintain heavy deployment methods.
Windows container isolation levels

  • Helium — application isolation, based on filesystem and registry virtualization. Used mainly for Windows Store Apps containerization. No security guarantees.
  • Argon — user session isolation, with a shared kernel. No security boundary.
  • Krypton — hypervisor isolation — a container running on a lightweight Hyper-V VM, which is based on the host kernel. Resistant to kernel attacks.
  • Xenon — hypervisor isolation used for hostile multi-tenant hosting. The VM can be based on multiple different kernels. Also known as Hyper-V Containers.

Advantages over traditional VMs

  • Improved memory management — the container’s memory is managed dynamically by the host’s kernel, as if it were a simple application, unlike traditional VMs, where memory is preallocated regardless of actual usage in the guest or the host, leading to inefficient utilization.
  • Improved scheduler and CPU usage — the guest’s scheduling is done from the host’s kernel, as if it were another process, leveraging some of the advanced NT scheduling features. That leads to better CPU utilization and reduced power/battery consumption.
  • Paravirtualized GPU — the hypervisor can expose a fully paravirtualized GPU, with full DirectX support, allowing modern hardware-accelerated applications to run inside the container. Traditional VMs usually emulate the GPU in software, providing poor performance and high CPU usage.

Networking

Hysolate IWaaS provides administrators full networking controls: they can enforce network access based on IP addresses, protocols and, unlike with most hypervisors, also by domain names — similar to advanced firewalls. We then apply the administrator’s policy as Windows Filtering Platform rules, which provide excellent security (Windows Firewall and other filtering features use it too) and performance. To make security even better, the enforcement happens outside of the container, on a dedicated Hyper-V virtual switch, so it is not exposed to attacks from inside the container. For example, DNS requests that originate from the container are intercepted by our DNS proxy and are sent to the target only if allowed by the policy.
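The domain-name rule described above is the interesting part of such a policy, because a DNS proxy sitting outside the container has to decide from the raw query alone whether to forward it. The following is an added illustration, not Hysolate’s code or policy format: it parses the question name out of an RFC 1035 wire-format query, matches it against an allow-list of domain suffixes (so `www.zoom.us` matches `zoom.us` but `evilzoom.us` and `zoom.us.evil.test` do not), and fails closed on malformed input. The policy values and the `build_query` helper are constructed for the example.

```python
import struct

# Constructed example policy (not Hysolate's format): domain suffixes the
# container may resolve. Anything that does not match is blocked.
POLICY = {"allow_domains": {"zoom.us", "netflix.com", "corp.example.com"}}


def qname_from_query(pkt: bytes) -> str:
    """Return the first question name of a DNS query in RFC 1035 wire format."""
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        ln = pkt[pos]  # IndexError on truncated packets is handled by the caller
        if ln == 0:
            break
        if ln & 0xC0:  # compression pointers are not legal in a query name
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels).lower()


def domain_allowed(name: str, allowed: set) -> bool:
    """Suffix match on label boundaries: 'evilzoom.us' must not match 'zoom.us'."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)


def dns_proxy_decision(pkt: bytes, policy: dict) -> tuple:
    """Decide what the out-of-container proxy does with one query: forward, block or drop."""
    try:
        name = qname_from_query(pkt)
    except (ValueError, IndexError, UnicodeDecodeError):
        return ("drop", None)  # malformed query: fail closed, never forward
    if domain_allowed(name, policy["allow_domains"]):
        return ("forward", name)
    return ("block", name)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A-record query for testing (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
```

A real deployment would also have to pin the container to this proxy (blocking direct UDP/TCP 53 and DNS-over-HTTPS egress with the L3/L4 rules), otherwise the domain policy can be bypassed.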

More security

While we’ve set strong hypervisor-enforced boundaries between the container and the host, those boundaries sometimes need to be crossed in a controlled way. We provide administrators with an easy but powerful way to control how data is transferred between the environments. For instance, in the secure BYOD use case, it’s possible to allow file transfers only to the host, to reduce the chance of copying an infected file into the corporate environment, but allow copying text both ways.

UX and usability

We’ve worked hard to make IWaaS friendly and intuitive to both administrators and end-users. On the administration side, we’ve built our management console as a cloud service. This makes it easy to use, without the overhead of hosting, maintaining and securing the console, which we take care of for you at the highest standards, with SOC 2 and ISO 27001 certification. With integration with your existing identity provider, such as Azure Active Directory, it’s easy to invite specific users or a group of users to start using IWaaS.

Learn more about IWaaS and the other cool things we’ve built into it. Request a demo with a specialist to see for yourself.

About the Author

Oleg is a Software Engineer and Cyber Security veteran, with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined the CTO’s office as an architect and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the intelligence unit 8200 of the IDF and holds a B.Sc. in Computer Science, Cum Laude, from the Technion.
